Wednesday 12 February 2014

A no-frills Mail Server running on CentOS / Fedora




  • preliminaries


  1. update your OS with
    yum -y update
  2. fix all errors, if any, and in case of a kernel update reboot the box with
    shutdown -r now ( or later if someone else is using the box )
  3. erase good ol' sendmail and, if it is installed for some reason, exim with
    yum -y erase sendmail exim
  4. install Postfix (the Mail Transfer Agent), Dovecot (the Mail Delivery Agent) and ClamAV (the virus checker, to protect our Windows community). We start with these two:
    yum -y install postfix dovecot
  5. Spam could be a worry if we opened mail delivery to the server to the world. Since we only accept mail from white-listed senders, we don't need to worry.

  • configuration

  1. configure Postfix
    cd /etc/postfix
    fix the aliases file
    create a my_networks file
    create a body_checks file
    create a header_checks file
    set up the main.cf file
    set up the master.cf file
    now check the configs with
    postfix check
    then, if everything is fixed, run
    service postfix start
  2. configure dovecot
    cd /etc/dovecot
    change the settings in dovecot.conf
    cd conf.d
    adjust all required *.conf files to suit
    start dovecot and check the mail logs
    service dovecot start
  3. next, set up the mail users; in our case these are gitlab, jira and confluence plus a postmaster account
    add the users, ideally with the same id(s) as on other servers
    create passwords for the mail set-up within the application
    create home directories and set up the Maildir within.
  4. test the mail delivery to the postmaster account
    and next test the out-going mail too
  5. now you are ready to add the mail box details to the application; make sure to fully test the configuration. Once fully tested and working you can forget the passwords, as changing passwords is a manual process on both server and application.
  6. Once the basics are working we add the virus checking and the SSL certificates.
  7. First we install and configure the virus checker tools with
    yum -y install clamav clamav-data clamav-filesystem clamav-lib clamav-server clamav-update clamsmtp
  8. The configuration is needed for regular signature updates and for the Postfix integration
    set up the clamd.server config
    set up the freshclam.conf file
    set up the clamsmtp.conf file
    add the filter to the postfix main.cf and master.cf
    now get the first clam database with
    /bin/freshclam --verbose
    service clamd.server start
    service clamsmtp start
    postfix stop
    postfix start
  9. re-test mail sending and receiving via the virus checker and watch
    tail -f /var/log/maillog
    fix any errors
  10. lastly we can add the optional SSL certificates so that email is sent and downloaded encrypted rather than in clear text.
    create the certs and place them into
    /etc/postfix/ssl
    then add the certs and smtpd settings into main.cf and the dovecot configs
    then restart postfix and dovecot and re-test the mail send/receive
    service dovecot restart
    postfix stop
    postfix start
    tail -f /var/log/maillog
    fix any errors
  11. When the SSL certs are installed and show no errors, the application(s) need to be changed to POP3 over SSL for receiving and TLS/SSL for sending. It should just work; otherwise, more fixing.
  12. Lastly, inform users where to send mail to and how to use the mail functionality in the application.
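The following is an added example and not part of the original post: a small shell audit of the main.cf settings the steps above depend on, namely a restricted mynetworks, a relay restriction, the header and body checks, the clamsmtp content filter and the TLS certificate. It runs offline against two constructed main.cf samples, a weak one and a corrected one. The file paths, the clamsmtp port 10025 and the network ranges are assumptions, not values from the post.

```shell
# Added example: audit a Postfix main.cf for the settings the post's
# configuration steps rely on. Not the post's own code; the paths, the
# clamsmtp port (10025) and the network ranges are assumptions.

# postfix_get FILE KEY: print KEY's value (last definition wins, as in Postfix)
# or nothing if it is unset. Indented continuation lines are not handled.
postfix_get() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//'
}

# postfix_audit FILE: print one line per finding; exit status 0 when clean.
postfix_audit() {
    f=$1
    n=0

    # 1. mynetworks is the trusted-client list; a catch-all makes an open relay.
    case "$(postfix_get "$f" mynetworks)" in
        *0.0.0.0/0*|*::/0*) echo "mynetworks trusts every client (open relay)"; n=$((n + 1)) ;;
    esac

    # 2. Relay control: a restriction list must refuse mail for non-local
    # destinations from untrusted clients. On Postfix 2.10+ an unset
    # smtpd_relay_restrictions is already safe, so this check is conservative.
    restr="$(postfix_get "$f" smtpd_relay_restrictions) $(postfix_get "$f" smtpd_recipient_restrictions)"
    case "$restr" in
        *reject_unauth_destination*|*defer_unauth_destination*) ;;
        *) echo "no reject_unauth_destination in smtpd relay/recipient restrictions"; n=$((n + 1)) ;;
    esac

    # 3-5. The post's header_checks, body_checks and the clamsmtp content filter.
    for key in header_checks body_checks content_filter; do
        if [ -z "$(postfix_get "$f" "$key")" ]; then
            echo "$key is not set"; n=$((n + 1))
        fi
    done

    # 6. TLS: without a certificate the SMTP session stays in clear text.
    if [ -z "$(postfix_get "$f" smtpd_tls_cert_file)" ]; then
        echo "smtpd_tls_cert_file is not set (no TLS for SMTP)"; n=$((n + 1))
    fi

    [ "$n" -eq 0 ]
}

# Constructed samples (not real server files) so the audit runs offline.
TMP=$(mktemp -d)
WEAK_CF=$TMP/weak-main.cf
FIXED_CF=$TMP/fixed-main.cf

cat > "$WEAK_CF" <<'EOF'
# constructed: relays for everyone, no filtering, no TLS
myhostname = mail.example.test
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit_mynetworks, permit
EOF

cat > "$FIXED_CF" <<'EOF'
# constructed: the shape the post's steps aim for
myhostname = mail.example.test
mynetworks = 127.0.0.0/8, 10.0.0.0/24
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination
header_checks = regexp:/etc/postfix/header_checks
body_checks = regexp:/etc/postfix/body_checks
content_filter = scan:127.0.0.1:10025
smtpd_tls_cert_file = /etc/postfix/ssl/server.crt
smtpd_tls_key_file = /etc/postfix/ssl/server.key
smtpd_tls_security_level = may
EOF

for cf in "$WEAK_CF" "$FIXED_CF"; do
    echo "== $cf"
    if postfix_audit "$cf"; then echo "clean"; fi
done
```

Run it against the real /etc/postfix/main.cf after `postfix check` passes; the weak sample produces six findings and the corrected one none. A finding on the relay restriction is only a real problem on Postfix versions before 2.10, where smtpd_recipient_restrictions is the only place the relay policy lives.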

Tuesday 4 February 2014

UNIX Servers and Secure Access



  1. Nobody has access until explicitly granted.
  2. A UNIX firewall will be in place to limit traffic and to drop a possible mass attack.
  3. A port monitoring and IP blocking tool will be installed to act on suspected misuse.
  4. No insecure or plain-text tools are available for use.
    These include telnet, ftp, rsh, rexec etc.
  5. The open ports on any server are locked down to a bare minimum.
    22 - ssh for remote access and data transfer
    25 - mail server
    80 - standard web server
    443 - secure web server
    3306 - database access with ssl/ssh
    other ports only on demand.
  6. Security on the open ports.
    3306 - only open to other database and backup servers
    443 - open to the world, but monitored
    80 - open to the world, but monitored
    25 - open only for outgoing mail as standard; if incoming mail is required (Jira) it is opened, but monitored
    22 - open for approved staff and configured for certificate only (see below)
    other ports will be added if opened.
  7. Where possible, http will be redirected to https.
  8. A virus filter to protect the Windows users will be in place for servers with mail and upload access.
  9. Servers with VNC access requirements will have it reachable via localhost only, over SSH with certificate authentication.
  10. Root log-in is locked down and replaced with sudo access after SSH connection.
    No user will have access to the ROOT password.
  11. User access is granted via a 2048-bit SSH key.
    No password log-in is available.
    After 3 failed SSH handshake attempts the account will be locked and the IP blocked by the tool from point 3.
    The public key has to be registered on the server before access can happen.
    The user cannot change the access credential or the protected SSH certificate.
  12. Every server access, successful or failed, will be logged in an audit file.
    Every sudo command is audited.
  13. Every web site access will be logged and presented in a daily report.
  14. Server and data backup will be in place and stored in a secure location.
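As an added example, not part of the original post, here is the detection side of points 3, 11 and 12 above: a few shell functions that read /var/log/secure-style sshd and sudo lines, report every source IP that crosses the post's threshold of 3 failed authentications, list accepted logins with their method (so a password login on a key-only server stands out), and pull the sudo commands out of the audit trail. The log lines, host name and addresses are constructed for the example and the threshold is passed in as a parameter.

```shell
# Added example: per-IP failed-login counting and sudo auditing over sshd log
# lines. Not the post's own tooling; the sample log below is constructed.

# ssh_failures_over LOGFILE THRESHOLD: print "IP count" for every source IP
# with at least THRESHOLD failed sshd authentications (password, key or none).
ssh_failures_over() {
    awk -v threshold="$2" '
        /sshd\[[0-9]+\]: Failed (password|publickey|none) for / {
            # the source address is the field after "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' "$1"
}

# ssh_accepted LOGFILE: print "user IP method" for every successful login.
ssh_accepted() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            # field 6 is "Accepted", 7 the method, 9 the user name
            print $9, ip, $7
        }
    ' "$1"
}

# sudo_commands LOGFILE: print "user: command" for every sudo audit line.
sudo_commands() {
    awk '
        / sudo: / {
            user = $6
            cmd = $0; sub(/.*COMMAND=/, "", cmd)
            print user ": " cmd
        }
    ' "$1"
}

# Constructed sample log (RFC 5737 documentation address as the attacker,
# a private LAN address as the staff client); not a real server log.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Feb  4 10:01:02 web1 sshd[2100]: Failed none for invalid user admin from 198.51.100.23 port 51234 ssh2
Feb  4 10:01:05 web1 sshd[2100]: Failed publickey for invalid user admin from 198.51.100.23 port 51234 ssh2
Feb  4 10:01:09 web1 sshd[2103]: Failed publickey for root from 198.51.100.23 port 51240 ssh2
Feb  4 10:02:11 web1 sshd[2107]: Accepted publickey for deploy from 10.0.0.5 port 40022 ssh2
Feb  4 10:03:40 web1 sshd[2111]: Failed publickey for deploy from 10.0.0.7 port 40100 ssh2
Feb  4 10:03:52 web1 sshd[2111]: Accepted publickey for deploy from 10.0.0.7 port 40100 ssh2
Feb  4 10:04:00 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/sbin/service postfix restart
EOF

echo "== sources with 3 or more failures"
ssh_failures_over "$SAMPLE_LOG" 3
echo "== accepted logins"
ssh_accepted "$SAMPLE_LOG"
echo "== sudo commands"
sudo_commands "$SAMPLE_LOG"
```

On the sample, only 198.51.100.23 reaches the threshold (three failures); the staff client at 10.0.0.7 had one key rejected and then succeeded, which is normal when an agent offers several keys. Running `ssh_failures_over /var/log/secure 3` from cron gives the list the blocking tool of point 3 should act on, and `ssh_accepted` with a method other than publickey is the signal that the key-only policy of point 11 has been bypassed.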